-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-EN-09:05.null                                           Errata Notice
                                                          The FreeBSD Project

Topic:          No zero mapping feature

Category:       core
Module:         kern
Announced:      2009-10-02
Credits:        John Baldwin, Konstantin Belousov, Alan Cox, and Bjoern Zeeb
Affects:        All supported versions of FreeBSD.
Corrected:      2009-10-02 18:09:56 UTC (RELENG_8, 8.0-RC2)
                2009-10-02 18:09:56 UTC (RELENG_7, 7.2-STABLE)
                2009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-RELEASE-p4)
                2009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-RELEASE-p8)
                2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
                2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
                2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.

I.	Background

In the C programming language, address 0 (NULL) is used to represent
unallocated memory.  NULL pointer dereferences are a common class of C
programming bug in which pointers are not properly checked for NULL
before being used.  Dereferencing a NULL pointer normally terminates
execution, via a segmentation fault for user processes, or a page
fault panic in the kernel.

II.	Problem Description

On most architectures, the FreeBSD kernel splits the process virtual
memory address space into two portions: user and kernel.  This
improves system call performance by avoiding a full address space
switch when a process enters the kernel, and improves performance for
kernel access to user memory.

However, in this design, address 0 is part of the user-controlled
portion of the virtual address space.  If the kernel dereferences a
NULL pointer due to a kernel bug, a malicious process that has mapped
code or data at address 0 may be able to manipulate kernel behavior.
For example, if a malicious user process maps code at address 0 and
then triggers a kernel bug in which a NULL function pointer is
invoked, the kernel may execute that code with kernel privilege rather
than panicking.

III.	Impact

This errata patch introduces a mitigation feature in which user
mapping at address 0 is disallowed, limiting the attacker's ability to
convert a kernel NULL pointer dereference into a privilege escalation
attack.

The feature is disabled by default in FreeBSD 7 and lower, and must be
enabled by setting the sysctl(8) variable security.bsd.map_at_zero to
0.  In FreeBSD 8 and later feature is enabled by default.

While extremely rare, certain applications may rely on mapping memory
at address 0.  Careful testing is advised when enabling this feature
when using virtual machines, emulation technologies, and older a.out
format binaries.

Changing the mentioned sysctl(8) variable only affects processes
started after the sysctl(8) variable was set.  Processes started
before the sysctl(8) variable was changed will continue to run with
the setting of the sysctl(8) variable which existed when the processes
was started.

Consequently, to ensure that the sysctl(8) variable affects all
processes, a reboot is required with the sysctl(8) variable configured
as mentioned below.

IV.	Workaround

No workaround is available.

V.	Solution

Perform one of the following:

1) Upgrade your system to 6-STABLE, 7-STABLE, or 8-RC, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

Enable feature as mentioned below.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
   detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/EN-09:05/null.patch
# fetch http://security.FreeBSD.org/patches/EN-09:05/null.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/EN-09:05/null6.patch
# fetch http://security.FreeBSD.org/patches/EN-09:05/null6.patch.asc

NOTE WELL: The patch for FreeBSD 7.x can be used on FreeBSD 8, but
does not enable the feature by default!

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

To actually enable the feature in FreeBSD 6.x and 7.x, add the
following to either /boot/loader.conf or /etc/sysctl.conf:

	security.bsd.map_at_zero="0"

VI.	Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/kern/kern_exec.c                                      1.275.2.9
RELENG_6_4
  src/UPDATING                                            1.416.2.40.2.11
  src/sys/conf/newvers.sh                                  1.69.2.18.2.13
  src/sys/kern/kern_exec.c                                  1.275.2.8.4.2
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.18
  src/sys/conf/newvers.sh                                  1.69.2.15.2.17
  src/sys/kern/kern_exec.c                                  1.275.2.8.2.1
RELENG_7
  src/sys/kern/kern_exec.c                                     1.308.2.11
RELENG_7_2
  src/UPDATING                                             1.507.2.23.2.7
  src/sys/conf/newvers.sh                                   1.72.2.11.2.8
  src/sys/kern/kern_exec.c                                  1.308.2.8.2.2
RELENG_7_1
  src/UPDATING                                            1.507.2.13.2.11
  src/sys/conf/newvers.sh                                   1.72.2.9.2.12
  src/sys/kern/kern_exec.c                                  1.308.2.6.2.2
RELENG_8
  src/sys/kern/kern_exec.c                                      1.337.2.3
  src/sys/kern/init_main.c                                      1.303.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r197715
releng/6.4/                                                       r197715
releng/6.3/                                                       r197715
stable/7/                                                         r197715
releng/7.2/                                                       r197715
releng/7.1/                                                       r197715
stable/8/                                                         r197714
- -------------------------------------------------------------------------

VII.	References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-09:05.null.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFKxltpFdaIBMps37IRAoniAJ9ENWQ431doaje7gXrAfAov5l0FKwCdFRxh
rTmlD1oew/hZTMBuFKM/LSI=
=+ZZf
-----END PGP SIGNATURE-----
